Frameworks
In-depth guides and analysis on frameworks from the Safeguard engineering team.
12 articles
NIST AI RMF Cybersecurity Profile (NIST IR 8596 Draft)
NIST released the preliminary draft Cybersecurity Framework Profile for AI (NIST IR 8596) in December 2025, addressing the intersection of AI and cybersecurity from three angles.
OWASP Top 10:2025 RC1: Software Supply Chain Failures Becomes Its Own Category
The OWASP Top 10:2025 release candidate, published November 2025, splits Vulnerable Components into a broader Software Supply Chain Failures category and elevates Security Misconfiguration to #2.
SLSA v1.2 Source Track: What Changed in November 2025
SLSA v1.2 was approved in November 2025 and finally completes the Source Track that v0.1 only sketched. We break down the new source levels and what producers must change.
MITRE ATT&CK v18: Detection Strategies Replace Data Sources
ATT&CK v18 released October 28, 2025, replacing traditional Detections (Data Sources) with Detection Strategies and Analytics. Here is how the model changes for defenders.
OpenSSF Scorecard v5.1: Azure DevOps Support and File-Mode Selection
Scorecard v5.1 added experimental Azure DevOps repository support and a new --file-mode flag that materially changes how repository files are fetched.
OpenSSF Scorecard v6 Roadmap: OSPS Baseline Conformance
The Scorecard v6 proposal introduces PASS/FAIL/ATTESTED conformance against the OSPS Baseline, versioned probe mapping, and CI gating. Here is what consumers and maintainers need to know.
FedRAMP 20x KSIs: Compliance as Machine-Readable Evidence
FedRAMP 20x, launched March 2025, replaces document-heavy authorization with 56-61 Key Security Indicators submitted as OSCAL. Here is what cloud providers must actually automate.
gittuf Reaches OpenSSF Incubating: A Forge-Independent Git Security Layer
gittuf was promoted from OpenSSF Sandbox to Incubating in June 2025. We unpack the Reference State Log, policy model, and why it matters for SLSA Source L3.
GUAC v1.0: Supply-Chain Graphs Reach Stable in June 2025
GUAC v1.0 shipped on June 12, 2025. We unpack the GraphQL API surface, the parsers for CSAF, OpenVEX, SPDX, CycloneDX, DSSE, and what stable means for production deployments.
Software Supply Chain Security Maturity: Where Does Your Organization Stand?
Most organizations know they should care about software supply chain security, but few have a structured way to assess their maturity. A practical framework for evaluating and improving your posture.
SLSA v1.1 Build Track: What Approved Means for Adopters
SLSA v1.1 was approved in April 2025 with the Build track stabilized. We dig into the spec changes, what L2 and L3 verifiers must reject, and how producers should re-evaluate provenance.
OWASP LLM Top 10 2025: System Prompt Leakage and Vector Weaknesses
The OWASP Top 10 for LLM Applications 2025 added System Prompt Leakage and Vector/Embedding Weaknesses, and elevated Sensitive Information Disclosure to #2. Here is the defender view.